Privacy by Design (PbD) is based on seven principles that help businesses be proactive when it comes to data privacy and build privacy into the very heart of their projects, processes and core activities.
The concept was created and defined by Dr Ann Cavoukian, Ph.D, an Executive Director of the Global Privacy & Security by Design Centre and previously the Information and Privacy Commissioner, Ontario, Canada. Work began in 1995 but it was formally launched and accepted in 2010.
Why are the 7 Principles of Privacy by Design important?
Privacy by Design is one of the key principles of data optimization – the art and science of making the most of your business’ data without compromising your legal obligations or data ethics.
It’s not just a framework to aspire to; privacy laws such as GDPR explicitly mandate that organizations consider Privacy by Design at the earliest possible stage of any project, and throughout the entire lifecycle. This is key to ensuring ongoing adherence to the regulation – and to many more, as the structure of GDPR is emulated in more and more territories’ own privacy legislation.
When are the 7 Principles of Privacy by Design relevant?
Fundamentally, if any activity is dependent upon, or even tangentially connected to, the use of personal data (so, most activities then), Privacy by Design is essential to ensure that you are continuously treating your data subjects legally, appropriately and, frankly, ethically.
What are the 7 Principles of Privacy by Design?
1. Proactive not reactive; preventative not remedial
Proactively anticipate privacy-invasive events before they happen, rather than rely on identifying and reacting to issues as they threaten.
2. Privacy as the default
This insists that the maximum degree of privacy should be delivered by default, from the very start and throughout its lifecycle, automatically. A key part of this is ensuring that only as much data as is genuinely necessary is collected, no more. If this is ensured, then the potential to undermine privacy is markedly reduced.
3. Privacy embedded into the design
This ensures that privacy is integrated into the initial stages of a product’s design and architecture, as well as IT systems and business practices. By considering privacy at the design stage, privacy can be achieved at the same time as ensuring the functionality and productivity of the project. In contrast, if privacy is retro-fitted, it will invariably hinder the project’s capability as the original design will have relied upon illicit freedom in the use of data.
4. Full functionality — positive-sum, not zero-sum
This ensures that whilst privacy is embedded at the very core, functionality doesn’t suffer. Businesses need to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made.
5. End-to-end security — lifecycle protection
An essential part of data privacy and protection is security. Privacy by Design ensures that IT security is present from data collection, through to storage and eventual deletion.
6. Visibility and transparency
This makes sure that all stakeholders (particularly data subjects) are informed of the business’s privacy practices and policies and that they clearly state how data will be processed, stored and erased, as well as any technologies used.
7. Respect for user privacy
Provide data subjects with all the tools required to uphold their privacy rights – from clear and transparent privacy notices to strong privacy defaults and user-friendly interfaces – and ensure all personal data is accurate and up-to-date.
The seven principles of Privacy by Design enable organizations to design better products and ensure that they are privacy-compliant from the very start.
If your business is facing a new data project, our team of Privacy Architects can help.
With equal expertise in cloud technology and environments, data insights such as machine learning, data analytics and data visualizations, as well as data privacy legislation, our team will ensure your data project does not overtake your Privacy by Design obligations, nor hamper any of your ambitions.